Legal & Policy Center

Incident Response & Breach Notice Summary

v2.0

Effective Date: [EFFECTIVE DATE] Last Updated: [LAST UPDATED] Version: 2.0

KidStarter maintains documented incident response procedures to identify, contain, investigate, remediate, and report security incidents and personal data breaches. Given that our Service involves children's data, we apply heightened vigilance and urgency.

1. Incident Categories

CategoryDescriptionSeverity
CriticalConfirmed breach involving children's Personal Data; CSAM detection; active exploitation of a vulnerabilityHighest — immediate response
HighConfirmed breach involving adult Personal Data; unauthorized access to production systems; ransomware or malware infectionUrgent — response within 1 hour
MediumSuspected breach; failed intrusion attempt with indicators of compromise; data exposure through misconfigurationPrompt — response within 4 hours
LowMinor policy violation; failed login brute force (blocked); phishing attempt (contained)Standard — response within 24 hours

2. Incident Response Process

2.1 Detection and Reporting

  • Automated monitoring and alerting systems;
  • Employee and contractor reporting through internal channels;
  • User reports via [SUPPORT EMAIL] or [REPORT LINK OR EMAIL];
  • Third-party notifications (processors, vendors, researchers).

2.2 Triage and Containment

  • Incident is triaged for severity and scope;
  • Immediate containment actions (e.g., access revocation, system isolation, credential rotation);
  • Evidence preservation for investigation and potential law enforcement cooperation.

2.3 Investigation

  • Root cause analysis;
  • Scope determination (what data was affected, how many individuals, what categories);
  • Assessment of risk to individuals (especially minors);
  • Forensic analysis where appropriate.

2.4 Remediation

  • Fix the vulnerability or close the attack vector;
  • Restore affected systems;
  • Implement additional safeguards to prevent recurrence;
  • Update security controls, policies, and training as needed.

2.5 Post-Incident Review

  • Lessons-learned review within 14 days of incident closure;
  • Update incident response procedures as needed;
  • Report to leadership and, where applicable, the board or advisory council.

3. Breach Notification

3.1 Regulatory Notification

JurisdictionAuthorityTimelineThreshold
EU/EEA (GDPR)Relevant supervisory authority72 hours from awarenessUnless unlikely to result in a risk to individuals' rights and freedoms
UK (UK GDPR)Information Commissioner's Office (ICO)72 hours from awarenessUnless unlikely to result in a risk to individuals' rights and freedoms
US — FederalFTC (if COPPA-related)As requiredBreach involving children's Personal Data
US — State lawsState Attorney General / affected individualsVaries (most: 30–60 days; some: as soon as practicable)Personal information of state residents
Canada (PIPEDA)Office of the Privacy CommissionerAs soon as feasibleReal risk of significant harm
Canada (Quebec Law 25)Commission d'accès à l'informationAs soon as feasibleRisk of serious harm

[Consult legal counsel for your specific state-by-state obligations before publication.]

3.2 Individual Notification

Where required by law, or where the breach is likely to result in a high risk to individuals' rights and freedoms (especially where children's data is involved), we will notify affected individuals:

  • Method: Email to the address on file; in-app notification; and, where email is unavailable, prominently posted notice on the Service.
  • Content: Description of the nature of the breach; categories and approximate number of individuals affected; likely consequences; measures taken or proposed; contact details for further information.
  • Timeline: Without undue delay and in accordance with the applicable legal timeline.

3.3 Processor/Partner Notification

Where the breach involves data processed by KidStarter on behalf of a Controller (e.g., a school under a DPA), we will notify the Controller without undue delay to enable them to meet their own notification obligations.

4. Escalation Matrix

SeverityInternal EscalationExternal Notification
Critical (children's data, CSAM)CEO, CTO, Legal, DPO (if appointed), on-call securityRegulators (within legal timelines), law enforcement (NCMEC/IWF if CSAM), affected individuals
HighCTO, Legal, DPO (if appointed)Regulators (within legal timelines), affected individuals if high risk
MediumSecurity team lead, Legal (if needed)Regulators only if breach confirmed and threshold met
LowSecurity team leadTypically no external notification required

5. Special Considerations for Children's Data

5.1. Breaches involving children's Personal Data are treated as Critical severity by default, regardless of the volume of data affected.

5.2. Notification to guardians/parents will be prioritized and written in clear, non-technical language.

5.3. Where the breach involves a Campaign for a minor, the affected Campaign may be paused immediately until the incident is resolved.

5.4. KidStarter will cooperate fully with child protection authorities in the investigation of any breach involving children's data.

6. Record Keeping

6.1. KidStarter maintains a breach register documenting all personal data breaches, including: the facts, effects, and remedial actions taken, regardless of whether notification was required.

6.2. The breach register is maintained in accordance with GDPR Article 33(5) and equivalent requirements and is available for inspection by supervisory authorities.

7. User Responsibilities

If you believe your KidStarter account has been compromised, or if you become aware of any security incident involving the Service, contact us immediately:

  • Email: [SUPPORT EMAIL]
  • Subject Line: "URGENT: Account Compromise" or "URGENT: Security Incident"
  • Emergency (child safety): [REPORT LINK OR EMAIL]

8. Contact

Security Incidents: [SECURITY EMAIL] Privacy Inquiries: [PRIVACY EMAIL] General Support: [SUPPORT EMAIL]

help.title

Getting Started
Sign Up/registerFull Guide (PDF)
Create an account at /register. Choose your role: Donor (support students), Teacher (create campaigns for students), Parent/Guardian (create campaigns for your child), Corporate Sponsor (sponsor schools and campaigns), or Charity (collect tax-exempt donations). Your role determines which dashboard features you see.
💡 Tip: Use your school email address if you have one — it speeds up organization verification later.
Onboarding Wizard/onboarding
After registration, the onboarding wizard walks you through 4 steps: select your role, link your school/organization, choose a plan (Free, Teacher, or School), and confirm. You can skip and return later.
📝 Example: A teacher at Lincoln Elementary would: 1) Select "Teacher", 2) Search "Lincoln Elementary" in the org directory, 3) Choose the Free plan, 4) Confirm and land on their Creator Dashboard.
Plans & Pricing/pricing
KidStarter offers three plans: Free (1 campaign, basic features), Teacher Starter ($5/mo — up to 10 campaigns, share kit, priority review), and School Plan ($20/mo — multi-teacher, school dashboard, bulk tools). All plans include Stripe payments and donation receipts (tax-exempt receipts for charity-backed campaigns).
📈 Benchmark: Similar platforms charge 5–8% platform fees. KidStarter charges 0% platform fee — only Stripe's standard 2.9% + $0.30 processing fee applies.
Language Switcher
KidStarter supports 8 languages: English, Portuguese, Spanish, Hungarian, French, German, Slovak, and Czech. Click the flag icon in the top navigation bar to switch. Your preference is saved in a cookie and persists across sessions.
💡 Tip: The language auto-detects from your browser settings on first visit. Override it anytime with the flag switcher.
Campaigns
Creating a Campaign/dashboard/creatorFull Guide (PDF)
Navigate to your Creator Dashboard (/dashboard/creator) and click "Create Campaign". Fill in: student first name + last initial, their story, funding goal, category (STEM, Arts, Sports, Tuition, Supplies, General), and optionally upload a hero image.
📊 Impact: New campaigns enter DRAFT status. They become publicly visible only after passing moderation review (PENDING_REVIEW → APPROVED). Rejected campaigns can be edited and resubmitted.
⚠ Watch Out: Never include a student's full name, address, or other PII in the campaign story. Our moderation team will reject campaigns with identifying information.
Campaign Status Flow
Every campaign moves through a lifecycle: DRAFT (created, not submitted) → PENDING_REVIEW (submitted, awaiting moderator) → APPROVED (live, accepting donations) → FUNDED (goal reached) → COMPLETED (funds disbursed). Campaigns can also be REJECTED (with reason) or PAUSED (temporarily hidden).
📝 Example: Maria's campaign was created on Monday (DRAFT), submitted Tuesday morning (PENDING_REVIEW), approved Tuesday afternoon (APPROVED), reached its $500 goal by Friday (FUNDED), and funds were disbursed the following week (COMPLETED).
Campaign Verification
Every campaign must be verified before going live. Upload evidence of school affiliation: enrollment letter, school ID, teacher badge, or guardian consent form. These documents are reviewed privately by the moderation team and never shown publicly.
📈 Benchmark: GoFundMe has no verification for education campaigns. DonorsChoose requires teacher accounts only. KidStarter verifies both the creator AND the student's school enrollment.
💡 Tip: Campaigns with clear, scanned documents get approved faster than blurry phone photos.
Share Kit
Each approved campaign gets a Share Kit: pre-generated images (square for social, story for Instagram/WhatsApp, QR code for print), one-click share buttons (WhatsApp, Email, X, LinkedIn, Facebook), and a copyable campaign link. The post-donation share prompt is your highest-converting tool.
📊 Impact: Campaigns that are actively shared raise 3–5x more than those that aren't. Each share can generate 2–5 additional donations on average.
💡 Tip: Share within the first 48 hours of approval for maximum momentum. Post the QR code in your school's physical spaces.
Campaign Updates
Post updates to your campaign with text and photos showing the impact of donations. Updates appear on the campaign page and notify past donors. Go to your campaign page → "Post Update" section.
💡 Tip: Post an update with a photo within 1 week of receiving funds. Donors who see impact updates are 4x more likely to donate again.
Donations
Making a DonationFull Guide (PDF)
Click "Donate Now" on any campaign. Choose a preset amount or enter a custom one (minimum $1). Enter your name (optional — leave blank for anonymous) and email (for receipt). You're redirected to Stripe's secure checkout page.
💡 Tip: You don't need an account to donate. But creating one lets you track your donation history and get tax center access.
Donation Receipt/receipt
After donating, you receive a receipt token (e.g. "abc123def"). Save this! You can look up your receipt anytime at Donors → Receipt Lookup (/receipt). The receipt shows: amount, date, campaign, and a unique token. For charity-backed campaigns, the receipt also displays the charity name, tax ID, and a "Tax-Exempt Donation" badge.
Tax Center/tax-center
The Tax Center (/tax-center) provides information about tax deductibility of donations, including FAQs about charity-backed campaigns, tax-exempt receipts, and how to use your receipt for tax claims. Donations to charity-backed campaigns generate tax-exempt receipts with the charity's name and tax registration number.
⚠ Watch Out: KidStarter provides general tax information only. We are not tax advisors. Consult a qualified professional for your specific situation.
Organizations
Organization Directory/organizations
The public directory (/organizations) lists all registered schools, nonprofits, and corporate partners. Each org shows: name, type, country, verification status, member count, and active campaigns. Users can search, filter by country, and claim membership.
Claiming an Organization
If your school or org is already in the directory, click "Claim" on its page. You'll need to verify via your institutional email address (e.g. name@lincoln-elementary.edu). Once verified, you're linked to the org and can create campaigns under it.
📝 Example: Ms. Chen searches "Lincoln Elementary", finds it in the directory, clicks Claim, enters her school email, receives a verification code, and is now linked as a member.
Admin — Discovery & Enrichment
Discovery Console/dashboard/admin/discovery
The Discovery Console (/dashboard/admin/discovery) is the admin tool for finding, scraping, and enriching organization data. Access it from the Admin Dashboard → "🔍 Discovery Console" button. It shows all organizations in a table with enrichment status.
Seed Organizations
Click "Seed Organizations" to populate the directory with sample schools and partners. This creates org entries with names, types, countries, and website URLs. Useful for initial setup or demo purposes. You can also add orgs manually via /organizations or the API.
💡 Tip: For production, import real school data via CSV or the API at POST /api/organizations instead of using the seed function.
Web Scraper / Enrichment
The enrichment engine scrapes an organization's website and extracts structured data. Click "Enrich" next to any org with a website URL. The scraper fetches the page HTML (15-second timeout) and extracts: meta description, org-level contact emails (info@, contact@, admin@ — never personal emails), social links (LinkedIn, Twitter, Facebook), and page title.
📊 Impact: Enriched organizations have more complete profiles, which builds trust with donors and helps campaigns get more visibility. Orgs with descriptions and social links get 2x more campaign views.
📝 Example: Enriching "Lincoln Elementary" (website: lincoln-elementary.edu) extracts: description from meta tag, contact@lincoln-elementary.edu from page text, LinkedIn URL from footer links, and "Lincoln Elementary School — Excellence in Education" as page title.
⚠ Watch Out: The scraper respects a 15-second timeout. If a site is slow, blocks bots, or uses heavy JavaScript rendering, the scrape may fail. Retry later or add data manually.
Enrichment Fields & Confidence
Each extracted field has a confidence score (0.0–1.0). Scores reflect extraction reliability: meta descriptions score 0.8 (reliable), emails score 0.7 (need human review), social links score 0.9 (URL pattern matching is accurate), page titles score 0.6 (may include site navigation text).
💡 Tip: Always review extracted emails before approving. Verify they belong to the actual organization, not an ad network or third-party service on the page.
Approving Enriched Fields
After scraping, review extracted fields inline. Click "Approve" to push a field to the org's public profile (description, contact email, social links). Click "Reject" to discard. Approved fields immediately update the organization's listing in the public directory.
📊 Impact: Approving a description field makes the org more discoverable in search. Approving contact emails enables the platform to send verification and notification emails to the organization.
Verifying Organizations
After enrichment, change an org's status to "Approved" to make it visible in the public directory. Unverified orgs are hidden from public view but still accessible by direct URL. Verification confirms the org is a real, legitimate institution.
📝 Example: Workflow: 1) Seed/import org with website → 2) Click Enrich → 3) Review and approve fields → 4) Change status to Approved → Org appears in public directory.
Admin — Moderation
Moderation Queue/dashboard/modFull Guide (PDF)
The moderation queue (/dashboard/mod) shows all campaigns with PENDING_REVIEW status. Moderators and Platform Admins review each campaign's story, student info, evidence documents, and funding goal before approving or rejecting.
Reviewing a Campaign
Click a campaign in the queue to see full details: student first name + last initial, story text, category, goal amount, hero image, and uploaded verification evidence. Check for: specific and verifiable need, appropriate goal amount, valid school affiliation, no PII exposed.
⚠ Watch Out: Red flags: vague or generic stories, unusually high goal amounts (>$5,000 for individual students), no school affiliation, duplicate content from other campaigns, or requests for cash rather than specific items/services.
Approve / Reject / Pause
Approve makes the campaign live and publicly visible. Reject returns it to the creator with a reason code — they can edit and resubmit. Pause temporarily hides an approved campaign (preserving data) if issues arise post-approval. All actions are logged in the audit trail.
💡 Tip: When rejecting, select a specific reason code. "Insufficient evidence" is more helpful than "Rejected" — it tells the creator exactly what to fix.
Admin — Analytics
Admin Dashboard/dashboard/adminFull Guide (PDF)
The Admin Dashboard (/dashboard/admin) shows platform-wide metrics: total raised, total donations, active campaigns, pending reviews, total users, and a 7-day donation chart. Quick actions: Discovery Console, Guides, and Finance CSV Export.
Finance CSV Export
Click "📊 Export Finance CSV" on the Admin Dashboard to download a CSV of all donations with: date, amount, donor email, campaign, status, Stripe payment ID. Useful for accounting, reconciliation, and tax reporting.
⚠ Watch Out: The export contains donor emails (PII). Handle in accordance with GDPR and your data protection policy. Do not share publicly.
Corporate Sponsorship
Sponsor Program/dashboard/sponsorFull Guide (PDF)
Corporate sponsors create programs with a budget, target regions, and categories. Programs can be: Direct Sponsorship (fund specific campaigns), School Adoption (pledge to a school), or Matching (match community donations). Managed at /dashboard/sponsor.
Adopt-a-School/dashboard/sponsor/adopt
From /dashboard/sponsor/adopt, a corporate sponsor selects a school from the org directory and pledges a funding amount. This creates a SchoolAdoption record. The sponsor can then allocate funds to specific campaigns at that school, track spending vs budget, and export impact reports.
📝 Example: TechCorp adopts Lincoln Elementary with a $10,000 annual budget. They allocate $2,500 to "Laptops for CS Lab", $1,500 to "Art Supplies Room 204", and keep $6,000 for future campaigns. The Sponsor Dashboard shows 40% allocated, 60% remaining.
Vendor Partners
Vendor Portal/dashboard/vendor
Vendor partners (meal providers, school supply companies) manage their offers at /dashboard/vendor. They create voucher codes that students can redeem at participating locations. Vouchers are funded from campaign budgets.
Meal Vouchers
Meal vouchers are codes (e.g. "LUNCH-A3F2") redeemable at vendor locations for student meals. Created by vendors, funded from campaign budgets, distributed to students. Each voucher has: amount, expiry date, student assignment, and redemption status.
📝 Example: A campaign raises $200 for student meals. The creator purchases 40 × $5 meal vouchers from FoodPartner. Each student receives a code they show at the cafeteria. The vendor marks codes as redeemed, and the dashboard shows redemption rates.
Platform Settings
Trust & Safety/trust-safety
KidStarter's trust and safety page (/trust-safety) explains: campaign verification process, PII protection, payment security (Stripe PCI-DSS), content moderation, and reporting mechanisms. Every campaign shows a "Verified" badge after passing review.
User Roles
Platform roles: DONOR (browse, donate), CREATOR_TEACHER (create campaigns, post updates), CREATOR_GUARDIAN (create campaigns for their child), ORG_SCHOOL_ADMIN (manage school-wide campaigns), CORPORATE_ADMIN (manage sponsor programs), CHARITY_ADMIN (manage charity, enable tax-exempt receipts), MODERATOR (review campaigns), PLATFORM_ADMIN (full access), FINANCE_OPS (financial exports and reporting). Roles are assigned during registration or by admins.
💡 Tip: Users can have only one role. To change a user's role, a Platform Admin must update it from the Admin Dashboard user management section.